[CentOS] securing ldap with tls and security

Tue May 24 21:12:51 UTC 2011
Paul Heinlein <heinlein at madboa.com>

On Tue, 24 May 2011, David Mehler wrote:

> Having got this far if anyone with a working ldap authentication 
> system could give my config a sanity check let me know. My goal now 
> is to get tls encryption going so that usernames and passwords 
> aren't sent in the clear. I'm using self-signed certificates for 
> now.

This /etc/ldap.conf works well for me on CentOS 5:

----- %< -----
# failover doesn't work using the newer 'uri' directive.
# can go to ldap1; use ldap2 for backup
host ldap1.domain.com ldap2.domain.com
port 389
base dc=domain,dc=com

# encrypt queries over the wire; our servers require it
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts

# set time limits fairly low to get benefit of failover
bind_timelimit 30
idle_timelimit 120
timelimit 30

# a stock centos/rhel directive; its utility is murky to me
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
----- %< -----

Prior to switching to LDAP, I download the CA certificate used to sign 
the ldap1 and ldap2 server certs and hash it for OpenSSL. I typically 
do it via the %post section in kickstart:

   curl http://www.domain.com/ca/ca.domain.com.crt \
      -s -o /etc/openldap/cacerts/ca.domain.com.pem

   /usr/sbin/cacertdir_rehash /etc/openldap/cacerts

Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
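Added example, not part of Paul's message: a short sh script that does by hand what the cacertdir_rehash step above does, and then shows why it matters for tls_checkpeer. It builds a throwaway CA, a server certificate signed by it for ldap1/ldap2, and an impostor self-signed certificate carrying the same server name (all constructed for the demo, nobody's real PKI); it then shows that the CA file dropped into the cacerts directory is useless until it is hashed, that the genuine server cert verifies once it is, and that the impostor is still rejected. check_ldap_starttls is the same check run live over STARTTLS against a real server (it needs OpenSSL 1.1.1 or later for -starttls ldap and is not run by the demo). Only the openssl command line is assumed; the host and file names are the post's placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes only the openssl
# command-line tool. Host and file names (ca.domain.com, ldap1.domain.com,
# ldap2.domain.com, cacerts/) mirror the post's placeholders; the PKI built
# here is constructed for the demo and is not anyone's real CA.
set -eu

# Write a minimal openssl req config so the demo does not depend on the
# system openssl.cnf. The "ca" flavour marks the self-signed cert as a CA.
write_req_cnf() {
    {
        printf '[req]\nprompt = no\ndefault_md = sha256\n'
        printf 'distinguished_name = dn\nx509_extensions = ext\n'
        printf '[dn]\nCN = %s\n[ext]\nsubjectKeyIdentifier = hash\n' "$2"
        if [ "${3:-}" = ca ]; then
            printf 'basicConstraints = critical,CA:TRUE\n'
            printf 'keyUsage = critical,keyCertSign,cRLSign\n'
        else
            printf 'basicConstraints = CA:FALSE\n'
        fi
    } > "$1"
}

# What cacertdir_rehash does: OpenSSL's CApath lookup opens <subject hash>.<n>,
# not the file name, so each CA cert needs that symlink. Stale links are
# dropped first so the function can be rerun after a CA is added or rotated.
rehash_cacertdir() {
    dir=$1
    find "$dir" -maxdepth 1 -type l -name '[0-9a-f]*.[0-9]*' -exec rm -f {} +
    for pem in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -in "$pem" -noout -hash) || return 1
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$dir/$hash.$n"
    done
}

# Offline form of the check "tls_checkpeer yes" makes the client perform:
# does this server certificate chain to a CA in the hashed directory?
verify_against_cacertdir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Live form against a real server (needs network and OpenSSL 1.1.1+ for
# -starttls ldap); not run by the demo. Exits non-zero if the chain or the
# host name fails to verify. Usage: check_ldap_starttls ldap1.domain.com /etc/openldap/cacerts
check_ldap_starttls() {
    openssl s_client -connect "$1:389" -starttls ldap -CApath "$2" \
        -verify_hostname "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed PKI: a throwaway CA, a server cert it signed for ldap1/ldap2,
# and an impostor cert that is merely self-signed with the same name.
make_demo_pki() {
    d=$1
    write_req_cnf "$d/ca.cnf" ca.domain.com ca
    write_req_cnf "$d/srv.cnf" ldap1.domain.com
    write_req_cnf "$d/bogus.cnf" ldap1.domain.com
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.domain.com.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/srv.cnf" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    printf 'subjectAltName = DNS:ldap1.domain.com,DNS:ldap2.domain.com\n' > "$d/srv.ext"
    openssl x509 -req -days 2 -in "$d/srv.csr" -CA "$d/ca.domain.com.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/srv.ext" \
        -out "$d/srv.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/bogus.cnf" \
        -keyout "$d/bogus.key" -out "$d/bogus.pem" 2>/dev/null
}

# Walk the post's procedure on the constructed PKI. Returns 0 only if the
# copied-but-unhashed CA dir rejects the real server cert, the rehashed dir
# accepts it, and the impostor is still rejected.
run_demo() {
    t=$(mktemp -d)
    mkdir "$t/cacerts"
    make_demo_pki "$t"
    cp "$t/ca.domain.com.pem" "$t/cacerts/"   # stand-in for the post's curl step
    rc=1
    if ! verify_against_cacertdir "$t/cacerts" "$t/srv.pem" &&
       rehash_cacertdir "$t/cacerts" &&
       verify_against_cacertdir "$t/cacerts" "$t/srv.pem" &&
       ! verify_against_cacertdir "$t/cacerts" "$t/bogus.pem"; then
        rc=0
    fi
    rm -rf "$t"
    return "$rc"
}

if run_demo; then echo "cacertdir demo: OK"; else echo "cacertdir demo: FAILED"; exit 1; fi
```

Run it as-is with sh to see the three-step result; to check a real server, source the file and call check_ldap_starttls with the host and your tls_cacertdir. One caveat worth knowing: the subject hash that names the symlinks changed between OpenSSL 0.9.8 (what CentOS 5 ships) and 1.0.0, so always rehash the directory on the client with the same OpenSSL that will be doing the verifying, which is what running cacertdir_rehash in %post on the box itself gets you.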